Apple released a security update for macOS High Sierra to fix root bug

Apple didn’t take long to fix a major security vulnerability in macOS High Sierra that allowed anyone to get admin access to the computer without a password. The issue was reported on the 28th of November.[1] One day later, Apple released Security Update 2017-001,[2] which fixes the flaw.

The release of the update was followed by the company’s apology for putting users in danger:

“We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”

However, the company did not address and fix the bug in macOS High Sierra 10.13.2, which is currently available to developers and public beta testers.

Software developer reported the macOS High Sierra bug on Twitter

Developer Lemi Orhan Ergin was the one who spoke up on Twitter about the issue with the root user.[3] Anyone who got physical access to the Mac computer could get System Administrator access without a password. The flaw required only typing “root” as the username, leaving the password field empty and clicking the unlock button two times.

It was as simple as that: anyone who had physical access to a Mac computer could get access to it, change passwords or obtain other sensitive information stored on the device.

However, he was not the only one who found the flaw. The same issue had been discussed in the Apple developer forums a few weeks earlier, but the company did not pay attention to it. Ergin’s post on Twitter received lots of feedback. He was criticized for reporting the issue on the social network instead of contacting Apple directly.

Despite the harsh discussions on his profile, the problem was solved. The publicity helped, and Apple fixed the flaw immediately.

The bug is fixed, but a new error emerges

Although the major security bug in macOS High Sierra is fixed, the same update caused new problems for some Mac users.[4] Users reported that Security Update 2017-001 broke the file-sharing feature. Problems might occur when macOS High Sierra 10.13.1 users try to authenticate or connect to file shares.

Fortunately, Apple quickly offered a solution to the problem.[5] If you encountered the same issue after the update, follow these steps to fix it:

Open the Applications folder, go to the Utilities folder and open Terminal.

In Terminal, type this command:

sudo /usr/libexec/configureLocalKDC